🏷️Table of Contents
- Initial Recon
  - Directory Enumeration
  - robots.txt Discovery
- Manually request the hidden path
- I TRIED and I FAILED MANY TIMES
- Then I decided to STOP COMPLICATING my life
- Conclusion
Enumerate a Flask web app, discover hidden paths, gain admin access and retrieve the flag. Eh.
Initial Recon
I started with basic web enumeration against the target service on port 5000.
Directory Enumeration
I used GOBUSTER to brute-force common directories and files with the following command: gobuster dir -u http://TARGET_IP:5000/ -w /usr/share/wordlists/dirb/common.txt
The outcome:
/robots (JACKPOT!)
/console (returned 400, which indicates the route exists)
robots.txt Discovery
Hence, I fetched the robots file with the command: curl http://TARGET_IP:5000/robots.txt
Inside the .txt file I found some data that I understood as a password for the “hidden” directory mentioned there (bear with me).
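As an added example (not the author's code), here is a Python script that does the robots.txt step of this walkthrough programmatically: it pulls the Disallow entries out of a robots.txt body and, optionally, requests each path to see whether it is served without authentication, which is the check a site owner should run before relying on robots.txt to keep a path "hidden". The robots.txt body, the path names and the base URL are constructed placeholders.

```python
"""Parse robots.txt Disallow entries and classify how each path responds.
Added example for this write-up, not the author's code. SAMPLE_ROBOTS and
the TARGET_IP URL below are constructed placeholders."""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed robots.txt, shaped like the hint the write-up describes.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /HIDDEN_DIRECTORY_NAME/
Disallow: /console   # debug route, staging only
Allow: /
"""

def disallowed_paths(robots_txt: str) -> list[str]:
    """Return Disallow targets in order, deduplicated. Comments, blank lines
    and an empty Disallow (which means 'allow everything') are skipped."""
    paths: list[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths

def classify(status: int) -> str:
    """Map an HTTP status to what it tells a reviewer about a listed path."""
    if status in (401, 403):
        return "protected"    # auth is enforced; hiding the path adds nothing
    if status == 404:
        return "absent"
    if 200 <= status < 300:
        return "exposed"      # served to anyone who reads robots.txt
    return "exists"           # 400/405/5xx: the route is there and reacts

def probe(base_url: str, paths: list[str], timeout: float = 5.0) -> dict[str, str]:
    """GET each path under base_url and classify it (network call)."""
    results: dict[str, str] = {}
    for path in paths:
        req = urllib.request.Request(urljoin(base_url, path),
                                     headers={"User-Agent": "robots-review"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify(resp.status)
        except urllib.error.HTTPError as err:
            results[path] = classify(err.code)
        except urllib.error.URLError:
            results[path] = "unreachable"
    return results

if __name__ == "__main__":
    found = disallowed_paths(SAMPLE_ROBOTS)
    print(found)  # ['/HIDDEN_DIRECTORY_NAME/', '/console']
    # print(probe("http://TARGET_IP:5000/", found))  # uncomment against a real target
```

A path that comes back "exposed" is one that robots.txt advertised and the server handed out without any login, which is exactly the weakness this room turns on.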
Manually request the hidden path
… with the command: curl -i http://TARGET_IP:5000/HIDDEN_DIRECTORY_NAME/
Afterwards, the server returned the HTML with the secret message:
I TRIED and I FAILED MANY TIMES
- the admin login endpoint with curl POST requests:
curl -s -X POST http://TARGET_IP:5000/SECRET_DIRECTORY_NAME/administrator -d "username=test&password=test" | wc -c
- tried the password from robots.txt
- tried alternate usernames
- tried SQL injection payloads
- tried auth header tests
Then I decided to STOP COMPLICATING my life
I went back into the browser, changed the URL, logged into the secret directory and got the flag.
❓What is the flag?
THM{l***_**_**_***_******_**t}
Conclusion
Sometimes, it’s best to just stick to the simplest path.